I, BRUCE HOULTON SLANE, Privacy Commissioner, having given notice in accordance with section 48(1) of the Privacy Act 1993 of my intention to issue a code of practice and having satisfied the other requirements of the subsection, now issue under section 46 of the Act the Telecommunications Information Privacy Code 2003.
Issued by me at Auckland on 2 May 2003
THE SEAL of the Privacy Commissioner was affixed to this code of practice by the Privacy Commissioner
B H Slane, Privacy Commissioner
PART 1.- PRELIMINARY
1.- Title
This code of practice may be referred to as the Telecommunications Information Privacy Code 2003.
2.- Commencement
(1) Subject to subclause (2), this code will come into force on 1 November 2003.
(2) Clauses 3(e) and (f) of Schedule 2 will come into force on 1 April 2005.
3.- Interpretation
In this code:
Act means the Privacy Act 1993
call means a telephone call
call associated data has the same meaning as in section 2(1) of the Telecommunications (Residual Provisions) Act 1987
CLIP means Calling Line Identification Presentation, being technology which enables an answerer (or a device receiving a call) to identify the calling number, name of the subscriber and time and date of the call, prior to answering the call or in the course of receiving a message
CMS means call management service
direct marketing means:
(a) the offering of goods or services; or
(b) the advertising of the availability of goods or services; or
(c) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political, or other purposes, by means of:
(d) information or goods sent to any person by mail, facsimile transmission, electronic mail, or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or
(e) calls made to specific persons by name, but does not include:
(f) information sent by a telecommunications agency to a subscriber advising of a rate or service change to an existing service; or
(g) information sent by a telecommunications agency to a subscriber advising of alternative services, or charging plans, which may be of interest to the subscriber as a result of a rate or service change to an existing service.
directory means a list of the names and contact details of subscribers, whether in printed or electronic form, available to the public or a section of the public
directory enquiry agency means an agency which provides a directory enquiry service
directory enquiry service means a service which provides subscriber contact details on request
directory publisher means an agency which prepares or publishes a directory
Internet service provider means a service provider which provides access to the Internet
linked traffic information means traffic information which islinked to, or matched with, subscriber information by a telecommunications agency
network has the same meaning as in section 5 of the Telecommunications Act 2001
network operator has the same meaning as in section 5 of the Telecommunications Act 2001
reverse search facility means a directory which is arranged, or a directory enquiry service which is operated, for the purpose of enabling an individual´s name or address to be obtained by reference to a telephone number alone or an address alone, or a combination of telephone number and address
seamless means the provision of a telecommunications service in such a way that it is not evident to the subscriber that a particular service may be or has been delivered by different networks, equipment or providers
subscriber means an individual who has entered into a contract with a telecommunications agency for the supply of a telecommunications service
subscriber information means personal information about a subscriber which is obtained by a telecommunications agency when that subscriber subscribes to a telecommunications service or during the term of such a contractual relationship
telecommunication has the same meaning as in section 5 of the Telecommunications Act 2001
telecommunications agency means an agency of a class listed in subclause 4(2)
telecommunications information means information listed in subclause 4(1)
telecommunications service has the same meaning as in section 5 of the Telecommunications Act 2001
telecommunications service provider has the same meaning as in section 5 of the Telecommunications Act 2001
traffic information means call associated data and any other dialling or signalling information generated as the result of making a telecommunication (whether or not the telecommunication is sent or received successfully).
4.- Application of code
(1) This code applies to information about an identifiable individual that is:
(a) subscriber information;
(b) traffic information;
(c) the content of a telecommunication.
(2) This code applies to the following classes of agency:
(a) a network operator;
(b) a telecommunications service provider;
(c) a directory publisher;
(d) a directory enquiry agency;
(e) an Internet service provider;
(f) a call centre which provides call centre services on contract to another agency;
(g) a mobile telephone retailer.
PART 2.- TELECOMMUNICATIONS INFORMATION PRIVACY RULES
5.- Telecommunications information privacy rules
In accordance with the Act, the following rules modify the application of the information privacy principles, prescribe how the principles are to be applied or complied with and apply some principles without modification:
Rule 1.- Purpose of Collection of Telecommunications Information
Telecommunications information must not be collected by a telecommunications agency unless:
(a) the information is collected for a lawful purpose connected with a function or activity of the agency; and
(b) the collection of the information is necessary for that purpose.
Rule 2.- Source of Telecommunications Information
(1) Where a telecommunications agency collects telecommunication information, it must collect the information directly from the individual concerned.
(2) It is not necessary for a telecommunications agency to comply with subrule (1) if the agency believes on reasonable grounds:
(a) that the information is publicly available information;
(b) that the individual concerned authorises the collection of the information from another source;
(c) that non-compliance would not prejudice the interests of the individual concerned;
(d) that non-compliance is necessary:
(i) to avoid prejudice to the maintenance of the law by any public sector agency including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation);
(iii) for the purpose of preventing or investigating an action or threat that may compromise network or service security or integrity;
(e) that compliance would prejudice the purpose of collection;
(f) that compliance is not reasonably practicable in the circumstances of the particular case;
(g) that the information:
(i) will not be used in a form in which the individual concerned is identified; or
(ii) will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned;
(h) that the information is traffic information;
(i) that the collection is an essential element of service provision or the interconnection, wholesaling or similar arrangements between network operators;
(j) that the information is necessary to deal with a service or billing enquiry and the collection is from:
(i) a member of the subscriber´s household; or
(ii) a representative of a business subscriber;
(k) that the information is subscriber information and the collection is from a network operator or Internet service provider or any other agency providing telecommunication service to persons outside that agency: 10
(i) by a directory publisher for the purpose of inclusion in a directory in accordance with the requirements of Schedule 2;
(ii) by a directory enquiry agency for the purpose of making the information available through a directory enquiry service in accordance with the requirements of Schedule 2; or
(l) that the collection is in accordance with an authority granted under section 54 of the Act.
Rule 3.- Collection of Telecommunications Information from Individual
(1) Where a telecommunications agency collects telecommunications information directly from the individual concerned, the agency must take such steps(if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of:
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information;
(d) the name and address of:
(i) the agency that is collecting the information; and
(ii) the agency that will hold the information;
(e) if the collection of the information is authorised or required by or under law:
(i) the particular law by or under which the collection is authorised or required; and
(ii) whether or not the supply of the information by that individual is voluntary or mandatory;
(f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and
(g) the rights of access to, and correction of, telecommunications information provided by rules 6 and 7.
(2) The stepsreferred to in subrule (1) must be taken before the information is collected or, if that is not practicable, as soon as practicable after it is collected.
(3) A telecommunications agency is not required to take the steps referred to in subrule (1) in relation to the collection of telecommunications information from an individual if that agency hastaken those stepsin relation to the collection, from that individual, of the same information or information of the same kind, on a recent previous occasion.
(4) It is not necessary for a telecommunications agency to comply with subrule (1) if it believes, on reasonable grounds:
(a) that non-compliance would not prejudice the interests of the individual concerned;
(b) that non-compliance is necessary:
(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(iii) for the purpose of preventing or investigating an action or threat that may compromise network or service security or integrity;
(c) that compliance would prejudice the purposes of collection;
(d) that compliance is not reasonably practicable in the circumstances of the particular case;
(e) that the information will not be used in a form in which the individual concerned is identified; or
(f) that the collection is for the purposes of interconnection or the delivery of a CMS.
Rule 4.- Manner of Collection of Telecommunications Information
(1) Telecommunications information must not be collected by a telecommunications agency:
(a) by unlawful means; or
(b) by means that, in the circumstances of the case:
(i) are unfair; or
(ii) intrude to an unreasonable extent upon the personal affairs of the individual concerned.
(2) Subject to section 107 of the Telecommunications Act 2001, a network operator or Internet service provider may monitor the call associated data of an individual where necessary for the purpose of investigating an action that may threaten network security or integrity.
Rule 5.- Storage and Security of Telecommunications Information
(1) A telecommunications agency that holds telecommunications information must ensure:
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:
(i) loss;
(ii) access, use, modification, or disclosure, except with the authority of the agency; and
(iii) other misuse; and
(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the telecommunications agency, everything reasonably within the power of that agency is done to prevent unauthorised use or unauthorised disclosure of the information.
(2) This rule applies to telecommunications information obtained before or after the commencement of this code.
Rule 6.- Access to Telecommunications Information by Individual Concerned
(1) Where a telecommunications agency holds telecommunications information in such a way that it can readily be retrieved, the individual concerned is entitled:
(a) to obtain from the agency confirmation of whether or not it holds such information; and
(b) to have access to that information.
(2) Where, in accordance with subrule (1)(b), an individual is given access to telecommunications information, the individual must be advised that, under rule 7, the individual may request the correction of that information.
(3) When a telecommunications agency refuses a request under subrule (1), it must advise the individual of the complaints process available under Schedule 1.
(4) A network operator (other than a public sector agency) may refuse to disclose to a requester linked traffic information which may reveal the identity of another individual or subscriber.
(5) The application of subrules (1) and (2) is subject to the provisions of:
(a) Part 4 of the Act (which sets out reasons for refusing access to information); and
(b) Part 5 of the Act (which sets out procedural provisions relating to access to information).
(6) This rule applies to telecommunications information obtained before or after the commencement of this code.
Rule 7.- Correction of Telecommunications Information
(1) Where a telecommunications agency holds telecommunications information, the individual concerned is entitled:
(a) to request correction of the information; and
(b) to request that there be attached to the information a statement of the correction sought but not made.
(2) Where a telecommunications agency holds telecommunications information it must, if so requested by the individual concerned or on its own initiative, take such steps(if any) to correct that information as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information may lawfully be used, it is accurate, up to date, complete and not misleading.
(3) Where a telecommunications agency that holds telecommunications information is not willing to correct the information in accordance with a request by the individual concerned, it must, if so requested, take such steps(if any) as are reasonable in the circumstances to attach to the information, in such a manner that it will always be read with the information, any statement provided by the individual of the correction sought.
(4) Where a telecommunications agency has taken steps under subrules (2) or (3), it must, if reasonably practicable, inform each person or body or agency to whom the information has been disclosed of those steps.
(5) Where a telecommunications agency receives a request made under subrule (1), it must:
(a) inform the individual concerned of the action taken as a result of the request; and
(b) if it refuses the request, advise the individual of the complaints process available under Schedule 1.
(6) The application of this rule is subject to the provisions of Part 5 of the Act (which sets out procedural provisions relating to correction of information).
(7) This rule applies to telecommunications information obtained before or after the commencement of this code.
Rule 8.- Accuracy etc of Telecommunications Information to be checked before use
(1) A telecommunications agency that holds telecommunications information must not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
(2) This rule applies to telecommunications information obtained before or after the commencement of this code.
Rule 9.- Retention of Telecommunications Information
(1) A telecommunications agency that holds telecommunications information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.
(2) This rule applies to telecommunications information obtained before or after the commencement of this code.
Rule 10.- Limits on use of Telecommunications Information
(1) A telecommunications agency that holds telecommunications information that was obtained in connection with one purpose must not use the information for any other purpose unless the agency believes on reasonable grounds:
(a) that the source of the information is a publicly available publication;
(b) that the use of the information for that other purpose is authorised by the individual concerned, provided that if the other purpose is for direct marketing the individual has been advised that he or she may withdraw such authorisation at any time;
(c) that non-compliance is necessary:
(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;
(ii) for the protection of the public revenue;
(iii) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(iv) for the purpose of preventing or investigating an action or threat that may compromise network or service security or integrity;
(d) that the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to:
(i) public health or public safety; or
(ii) the life or health of the individual concerned or another individual;
(e) that the purpose for which the information is used is directly related to the purpose in connection with which the information was obtained;
(f) that the information:
(i) is used in a form in which the individual concerned is not identified; or
(ii) is used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned;
(g) that the use of the information is necessary to investigate a complaint concerning a malicious or nuisance telecommunication and to take appropriate action;
(h) that the use of the information is necessary for:
(i) the provision of a seamless telecommunications service to subscribers;
(ii) the development or supply of any broadband, intelligent, interactive or multimedia services or other forms of telecommunications service;
(iii) the provision of a CMS; or
(iv) the purpose of interconnection, wholesaling or similar arrangements between network operators; or
(i) that the use of the information is in accordance with an authority granted under section 54 of the Act.
(2) A telecommunications agency must not use traffic information obtained as a result of interconnection, wholesaling or similar arrangements between network operators for the purposes of direct marketing to an individual who is not a subscriber of the agency without the authorisation of that individual.
(3) This rule does not apply to telecommunications information obtained before 1 July 1993.
Rule 11.- Limits on Disclosure of Telecommunications Information
(1) A telecommunications agency that holds telecommunications information must not disclose the information unless the agency believes, on reasonable grounds:
(a) that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained;
(b) that the source of the information is a publicly available publication;
(c) that the disclosure is to the individual concerned;
(d) that the disclosure is authorised by the individual concerned;
(e) that the disclosure is to a subscriber for billing purposes and the information identifies the details of a call for which a specific charge is made, such as a toll call, collect call, or an 0800 or 0900 (or equivalent) call;
(f) that non-compliance is necessary:
(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution and punishment of offences;
(ii) for the enforcement of a law imposing a pecuniary penalty;
(iii) for the protection of the public revenue;
(iv) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
(v) for the purpose of preventing or investigating an action or threat that may compromise network or service security or integrity;
(g) that the disclosure of the information is necessary to prevent or lessen a serious and imminent threat to:
(i) public health or public safety; or
(ii) the life or health of the individual concerned or another individual;
(h) that the disclosure is necessary to enable emergency services to respond to a potential threat to the life or health of the individual concerned or another individual;
(i) that the disclosure of the information is necessary to facilitate the sale or other disposition of a business as a going concern;
(j) that the information:
(i) is to be used in a form in which the individual concerned is not identified; or
(ii) is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned;
(k) that the disclosure is necessary to deal with a service or billing enquiry and the disclosure is to:
(i) a member of a subscriber´s household; or
(ii) a representative of a business subscriber;
who appear to be acting on behalf of the subscriber;
(l) that the disclosure of the information is necessary for:
(i) the provision of a seamless telecommunications service to subscribers;
(ii) the development or supply of any broadband, intelligent, interactive or multimedia services or other forms of telecommunications service;
(iii) the provision of a CMS; or
(iv) interconnection, wholesaling or similar arrangements between network operators;
(m) that the information is information enabling a subscriber to be identified and contacted and the disclosure is by inclusion in a directory or directory enquiry service, or by disclosure to a directory publisher or directory enquiry agency for inclusion in a directory or directory enquiry service, and the disclosure is authorised by the subscriber concerned and in accordance with the requirements of Schedule 2;
(n) that the disclosure is by means of CLIP and is in accordance with the requirements of Schedule 3; or
(o) that the disclosure of the information isin accordance with an authority granted under section 54 of the Act.
(2) This rule applies to telecommunications information obtained before or after the commencement of this code.
Rule 12.- Unique Identifiers
(1) A telecommunications agency must not assign a unique identifier to an individual unless the assignment of that identifier is necessary to enable the agency to carry out any one or more of its functions efficiently.
(2) A telecommunications agency must not assign to an individual a unique identifier that, to that agency´s knowledge, has been assigned to that individual by another agency, unless:
(a) both agencies are associated persons within the meaning of section OD7 of the Income Tax Act 1994; or
(b) it is permitted by subrule (5).
(3) A telecommunications agency that assigns unique identifiers to individuals must take all reasonable steps to ensure that unique identifiers are assigned only to individuals whose identity is clearly established.
(4) A telecommunications agency must not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or for a purpose that is directly related to one of those purposes.
(5) Notwithstanding subrules (2) and (3), a telecommunications agency may identify a telephone installation or an individual associated with that installation by reference to a number or identifier generated or assigned by another telecommunications agency where that is necessary for interconnection, wholesaling or similar arrangements between telecommunications agencies or between a telecommunications agency and another agency providing telecommunications service.
(6) Subrules (1), (2), (3) and (5) do not apply in relation to the assignment of unique identifiers before the commencement of this code.
(7) Subrule (4) applies to any unique identifier, whether assigned before or after the commencement of this code.
SCHEDULES
SCHEDULE 1.- COMPLAINTS OF BREACH OF CODE
1.- Each telecommunications agency must designate a person or persons to deal with complaints alleging a breach of this code and facilitate the fair, simple, speedy and efficient resolution of complaints.
2.- Each telecommunications agency must have a complaints procedure which provides that:
(a) when a complaint of a breach of this code is received:
(i) the complaint is acknowledged within 5 working days of receipt, unless it has been resolved to the satisfaction of the complainant within that period;
(ii) the complainant is informed of any relevant internal and external complaints procedures; and
(iii) the complaint and the actions of the agency regarding that complaint are documented;
(b) within 10 working days of acknowledging the complaint, the agency must:
(i) decide whether it:
(A) accepts that the complaint is justified;
(B) not accept that the complaint is justified; or
(ii) if it decides that more time is needed to investigate the complaint:
(A) determine how much additional time is needed; and
(B) if that additional time is more than 20 working days, inform the complainant of that determination and of the reasons for it; and
(c) as soon as practicable after the agency decides whether or not it accepts that a complaint is justified, it must inform the complainant of:
(i) the reasons for the decision;
(ii) any actions the agency proposes to take; and
(iii) the right to complain to the Privacy Commissioner
3.- Nothing in this Schedule limits or restricts any provision of the Act.
SCHEDULE 2.- DIRECTORIES AND DIRECTORY ENQUIRY SERVICES
1.- Any disclosure made under rule 11(1)(m) must be in accordance with:
(a) the agency´s policy notified generally or to the subscriber concerned;
(b) any authorisation given by the subscriber; and
(c) clauses 2, 3, 7, 8 and 9.
2.- A network operator or Internet service provider must not make it a condition of supply of telecommunications services that subscriber information be published in a directory or be made available through a directory enquiries service.
3.- Unless the subscriber concerned explicitly authorises to the contrary, a directory publisher or directory enquiry agency must arrange a directory or operate a directory enquiry service so that:
(a) to search for a subscriber´s telephone number:
(i) using a directory enquiry service, an enquirer is required to provide both the approximate name and approximate address of the subscriber being sought;
(ii) using an electronic directory, a searcher is required to provide the approximate name of the subscriber being sought;
(b) where a subscriber´s name, address and telephone number is published or displayed in printed or electronic form it is ordered alphabetically by the name of the subscriber concerned;
(c) where a subscriber´s name, address and telephone number is published or displayed in a directory it is not ordered to allow searches by address only;
(d) subscriber information is not disclosed by way of a reverse search facility;
(e) where a subscriber has expressed a preference for his or her name to appear in the directory in a certain form, the name is not published in any other form;
(f) where a subscriber requests that only part of his or her address is included in a directory, his or her full address is not published.
4.- Clauses 3(a), (b), (c) and (d) do not apply in relation to a business subscriber.
5.- Notwithstanding clauses 3(e) and (f), a telecommunications agency is not required to seek explicit authorisation from an existing subscriber as to the form in which that subscriber´s name or address is to appear in a directory (including a reprinted or re-issued directory) or a directory enquiry service, but must act upon any request received.
6.- For the purposes of clause 5, an existing subscriber means a subscriber who has, as at 1 April 2005, authorised a telecommunications agency to include his or her details in a published or compiled directory.
7.- Where a telecommunications agency discloses subscriber information to a directory agency or a directory enquiry agency for the purposes of inclusion in a directory or directory enquiry service, the agency must do everything reasonably within its power to ensure that the directory publisher or directory enquiry agency will comply with the requirements of this code in relation to the publication or release of the subscriber information.
8.- Where an agency intends to seek explicit authorisation from a subscriber for a practice that would otherwise be contrary to clause 3, it must:
(a) notify the subscriber concerned directly of the agency´s policy and the available options before obtaining the authorisation;
(b) advise the subscriber that it is not mandatory for the information to be disclosed in the directory or directory enquiry service; and
(c) inform the subscriber that the authorisation may in the future be withdrawn and explain how this may be done.
9.- A telecommunications agency must take such steps as are, in the circumstances, reasonable to ensure that subscribers are aware of the agency´s practices in relation to directories and directory enquiry services and of the options available concerning the fact and form of publication, release or withholding of subscriber details in full or in part.
10.- Without limiting clause 9, a telecommunications agency that publishes a directory on the Internet must:
(a) take such steps as are, in the circumstances, reasonable to ensure that affected subscribers are aware that information about them is published in this manner and the implications for the accessibility of the information by other people (for example, any significant differences from the way in which the information may otherwise be made available in non-electronic directories);
(b) promptly act to remove information relating to a subscriber from the Internet directory where that subscriber withdraws his or her authorisation for inclusion.
SCHEDULE 3.- CALLER LINE INFORMATION PRESENTATION
1.- A telecommunications agency may disclose telecommunications information by means of CLIP, provided that:
(a) subscribers are given the option to block the display of calling line identity on a per-line basis for both incoming and outgoing calls;
(b) callers are given the means to block the display of calling line identity on a per-call basis for outbound calls; and
(c) the agency takes reasonable steps to ensure that:
(i) subscribers are made aware of the option to have per-line blocking; and
(ii) users of the network are made aware of the ability to utilise per-call blocking;
(d) simple means are available for:
(i) obtaining per-line blocking;
(ii) exercising per-call blocking; and
(iii) ascertaining whether an outgoing line is blocked; and
(e) the option to obtain per-line blocking, and the means to obtain per-call blocking and to ascertain whether an outgoing line is blocked, are made available free of charge.
2.- A telecommunications agency may override any block applied pursuant to clauses 1(a) or (b) if the call is a 111 call.
3.- A telecommunications agency is not required to provide the options in clauses 1(a) and (b) in respect of a particular subscriber´s line where it believes, on reasonable grounds, that:
(a) the line is used for direct marketing purposes; or
(b) the line has been misused for the purpose of disturbing, annoying or irritating any person, and the agency advises the subscriber that blocking will not be, or is no longer to be, provided on that line.
4.- A telecommunications agency is not required to provide the options and means referred to in clauses 1(a) and (b) where the availability of an answer-back function is inherent in the nature of the service being provided to the subscriber concerned.